
If a firewall or load balancer like HAProxy terminates SSL, does SSL Labs evaluate it without the cipher suite?

Question asked by 강유 최 on Jul 31, 2018

I am running SSL Labs tests against some of our operating systems. We operate three phases: dev, staging and production.

When I tested staging as "staging-sslab.dap.lgcns.com", we got an A+ grade from the SSL Labs test.

But when I tested production as "dap.lgcns.com", we got an F grade from the SSL Labs test.

When I tested staging with another tool, "p5-ssl-tools", staging gave the following output:

-- staging-sslab.dap.lgcns.com port 443
 * maximum SSL version  : TLSv1_2 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_2   TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_1   FAILED: SSL connect attempt failed because of handshake problems error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
   * TLSv1     FAILED: SSL connect attempt failed because of handshake problems error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
   * SSLv3     FAILED: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

 * cipher order by      : server


 * SNI supported        : certificate verify fails without SNI
 * certificate verified : ok (needs SNI)

When I tested production with the same tool, "p5-ssl-tools", production gave the following output:

-- dap.lgcns.com port 443
 * maximum SSL version  : TLSv1_2 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_2   TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_1   TLSv1_1   ECDHE-RSA-AES256-SHA
   * TLSv1     TLSv1     ECDHE-RSA-AES256-SHA
   * SSLv3     FAILED: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

 * cipher order by      : client


 * SNI supported        : certificate verify fails without SNI
 * certificate verified : ok (needs SNI)

The Apache SSL config of staging and production is the same, but the cipher order is different? Why?

By the way, staging consists of one server with no firewall, whereas production consists of an HA pair (two servers) with a firewall.

How can we get an A+ like staging? What could I do?
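An added example (editor's code, not part of the original post, not from Qualys and not from the p5-ssl-tools project) that parses the two p5-ssl-tools summaries quoted above and lists what differs between the staging and production endpoints. The input strings are the question's own output with the line-wrapping artifacts removed; the checklist in audit() is the editor's own and does not reproduce SSL Labs' grading rules. When two hosts that share one Apache configuration produce a non-empty diff, the handshake is evidently being answered by a different TLS endpoint, which is what the question suspects of the firewall/HA tier in front of production.

```python
import re

# Constructed input: the two p5-ssl-tools summaries quoted in the question.
STAGING_OUTPUT = """\
-- staging-sslab.dap.lgcns.com port 443
 * maximum SSL version  : TLSv1_2 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_2   TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_1   FAILED: SSL connect attempt failed because of handshake problems error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
   * TLSv1     FAILED: SSL connect attempt failed because of handshake problems error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
   * SSLv3     FAILED: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
 * cipher order by      : server
 * SNI supported        : certificate verify fails without SNI
 * certificate verified : ok (needs SNI)
"""

PRODUCTION_OUTPUT = """\
-- dap.lgcns.com port 443
 * maximum SSL version  : TLSv1_2 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_2   TLSv1_2   ECDHE-RSA-AES256-GCM-SHA384
   * TLSv1_1   TLSv1_1   ECDHE-RSA-AES256-SHA
   * TLSv1     TLSv1     ECDHE-RSA-AES256-SHA
   * SSLv3     FAILED: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
 * cipher order by      : client
 * SNI supported        : certificate verify fails without SNI
 * certificate verified : ok (needs SNI)
"""

# Protocols a hardened endpoint should refuse (editor's checklist, not SSL Labs' rules).
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1_1")

_HOST_RE = re.compile(r"--\s+(\S+)\s+port\s+(\d+)")
_ROW_RE = re.compile(r"\*\s+(SSLv23|SSLv3|TLSv1(?:_[12])?)\s+(.+)")
_ORDER_RE = re.compile(r"\*\s+cipher order by\s*:\s*(\w+)")


def parse_report(text):
    """Parse one p5-ssl-tools summary into a plain dict.

    'versions' maps each probed protocol to the cipher the endpoint chose, or
    to None when the handshake FAILED (the protocol is refused there).
    """
    report = {"host": None, "port": None, "versions": {}, "cipher_order": None, "needs_sni": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HOST_RE.match(line):
            report["host"], report["port"] = m.group(1), int(m.group(2))
        elif m := _ROW_RE.match(line):
            proto, rest = m.group(1), m.group(2)
            # A successful row reads "<negotiated protocol> <cipher>"; keep the cipher.
            report["versions"][proto] = None if rest.startswith("FAILED") else rest.split()[1]
        elif m := _ORDER_RE.match(line):
            report["cipher_order"] = m.group(1)
        elif line.startswith("* SNI supported") and "without SNI" in line:
            report["needs_sni"] = True
    return report


def audit(report):
    """Return (code, detail) findings for settings that weaken the endpoint."""
    findings = []
    for proto in LEGACY_PROTOCOLS:
        cipher = report["versions"].get(proto)
        if cipher:
            findings.append(("legacy-protocol", f"{proto} accepted with {cipher}"))
    if report["cipher_order"] != "server":
        findings.append(("client-cipher-order", "endpoint lets the client pick the cipher suite"))
    return findings


def compare(left, right):
    """Return {field: (left_value, right_value)} for every field that differs."""
    diff = {}
    for key in ("host", "port", "cipher_order", "needs_sni"):
        if left[key] != right[key]:
            diff[key] = (left[key], right[key])
    for proto in sorted(set(left["versions"]) | set(right["versions"])):
        a, b = left["versions"].get(proto), right["versions"].get(proto)
        if a != b:
            diff[f"versions.{proto}"] = (a, b)
    return diff


if __name__ == "__main__":
    staging, production = parse_report(STAGING_OUTPUT), parse_report(PRODUCTION_OUTPUT)
    for name, rep in (("staging", staging), ("production", production)):
        print(f"{name} ({rep['host']}):", audit(rep) or "no findings")
    for field, (a, b) in compare(staging, production).items():
        print(f"  {field}: staging={a!r} production={b!r}")
```

Running it prints no findings for staging and, for production, the two legacy protocols plus the client-chosen cipher order; the diff section lists exactly those three fields (and the hostname) as the only differences, which is the evidence to take to whoever operates the firewall or HA tier. The same parser can be pointed at the output of any other host probed with p5-ssl-tools.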
